One Best Security Plugin For WordPress or Combination of Plugins?

1. Intro

Let me assume you are concerned about your website’s safety or have already been hacked, and you would like to know which is the best security plugin for WordPress out there. You might have heard of some of them and you don’t know which one to choose to protect your site from hackers and malicious bots.

I’ve done some research on WordPress security plugins and solutions and would like to report my results and thoughts.

I’ve written this article with the following aim: to help you protect your WordPress site using security plugins, combinations of plugins and solutions (both free and paid) and help you understand why you may want to choose this or that WordPress security solution.

Although I published an initial version of this article in 2015, all the points of this article are valid today. I keep an eye on the main changes and update the article when anything significant should be added or modified. The conclusion is the first part that I keep up-to-date above all.

This article is one of the most popular ones on my website. And I keep it ever-green for the best benefit of you (my readers).

By the way, you can find A LOT of useful information in the comments. (Ctrl+F can be a good friend to save time 🙂 )

This article was last updated on July 12, 2017

2. Questions you’ll find answered in this article

What are the levels of website security? (hint: it’s not just a plugin)

3. Before we get into details… Or what I kept in mind when I wrote this article

Unlike many other bloggers who just list the most well-known security plugins and underline their features and benefits, I’d like to make it more detailed and useful for you.

My utmost aim in this post is to help you protect your WordPress website and make security issues clearer for you, so that you don’t just install a plugin or two, but also understand more of the details of security.

Otherwise, if you don’t understand what a given security plugin or product actually does, you may get a false feeling of security or even break your website completely.

But you may say, “Hey, I just want the stuff that works and don’t want to read about security or any technical details! Just tell me what is the best WordPress security plugin and I’ll go!”

Your desire may be reasonable (and I will answer this question fully in the Plugins and Solutions section), but first of all, I’d like you to become a frequent reader of my blog (and maybe a good friend, why not?)

And so I feel a big responsibility for what I tell you. That’s why I have to explain why this or that security plugin may be a good fit for your WordPress site and what limitations this or that security plugin has.

By the way, if you don’t want to take responsibility for your website’s safety and you’re not going to learn the basics of WordPress security, then go with managed hosting. A great and comparatively inexpensive choice for beginners is WP Engine (see my review here). They don’t just take care of your website’s server-side technical and security issues, but they will also fix your site for free if it gets hacked (they use the Sucuri service for that; by the way, see more details about this service reviewed below in this article).

But if for some reason you don’t want to use managed hosting or some other managed solution (for example, because you have a small budget or you prefer to keep fuller technical control over your website), then you may find this article very useful.

Alright, here we go.

4. The anatomy of WordPress security – general overview

In order to choose the best security plugin or solution for your WordPress site, you need to understand what different plugins do, what vulnerable areas and defensive barriers of your website they are designed for. If you don’t understand the basics of website security, then you may get a false feeling of being secure after installing some plugin that does not protect you as much as you thought (I repeat this idea, because it’s important).

So here’s the general overview of website security protection levels (I’m talking about personal or small/medium business websites, not corporate web applications):

This picture will help you understand what you can control directly and what you cannot control directly. As you can see on the simple image above, your website’s security can be broken down into the following levels:

Some of the information below may or may not be news to you, but I include it for consistency so that you can see the whole picture and the ways your website can be compromised and protected.

5. Hosting and server level of security

Who is directly responsible for your hosting and server level security: If you use shared web hosting (not a VPS or dedicated server), then hosting and server level security is up to your hosting provider. They should set up their servers properly and protect them, set up network firewalls, organize a safe hosting account environment for you, and do constant monitoring, scanning, auditing etc.

What if your hosting is not managed properly: If your hosting is poorly managed, then not only do you get many more threats and attacks on your website (which is theoretically tolerable if you have good website security), but your website can be hacked at the server level, from the inside, so to speak. And there’s no way you can fully protect against it on your own; only your hosting provider can do it.

How you can protect your site on this level: The best thing you can do is to choose your web hosting wisely, take the hosting company’s professionalism into consideration, and not fall for the shiny but misleading marketing of many hosting providers on the market.

6. Network level of security (web application firewall)

This is a kind of filter between the outside world and your website. Its purpose is to additionally protect your website from malicious traffic (spam, bots, DDoS attacks etc.) and hacking attempts, and it can also improve your website’s performance.

Who is directly responsible for your network level security: It’s you who decides whether to use this additional level of website protection.

7. Client level of security

Use safe network environment (e.g. don’t use sensitive data when using public wifi hotspots).

Take basic security measures to protect your sensitive data (e.g. don’t keep your passwords written on sticky notes that can be lost or stolen).

Be cautious when working online or with unfamiliar files and programs (e.g. don’t open emails, files or URLs that look suspicious).

Who is directly responsible for client level of security: Of course, it’s you 🙂

What if you fail to secure your computer and your actions online: If you fail in this area, your website may be contaminated via the files you upload to it, or your password can simply be stolen by a malware program.

Here’s the main part of this post. It’s about hardening your WordPress site and using plugins, products and services to secure your website.

Who is directly responsible for this level of security: If you do the technical part of maintaining your website on your own, then it’s you who is in charge of it.

But if you don’t want to do WordPress security yourself, the most cost-effective solution is to choose fully-managed hosting that, apart from many other things, provides the necessary security for your website so you can feel confident.

What if you do not secure your website on this level? Sooner or later you will be hacked. Malicious bots and human hackers target the easiest websites first of all. So if you don’t take proper preventive security measures, it’s very likely that you’ll soon be a hacker’s victim.

What you can do to protect your WordPress site: I will talk about it below in this post. For now, I will just list the areas that you should be aware of in order to be sure that you handle your website security properly.

Here is what you should pay attention to when securing your WordPress website:

Scanning (find vulnerabilities and hacks before they do too much harm for you)

Post-hacking (restore or clean up your hacked online assets the most effective way with the least losses)

The above list is important because different plugins and solutions focus on different areas. So WordPress security is not a simple thing; as you can see, it is a complex issue. And all aspects of website security are not covered very well by any single plugin (contrary to what many people may think).

I know that most people don’t want to do anything until it may be too late. If you are one of these people, I’d recommend focusing at least on basic protection and a post-hacking strategy. It will let you avoid most hacking issues and restore your website (almost) without losses.

Having said that, if you don’t want to deal with any plugins yourself and you don’t have the budget to go with managed hosting, then at least take some actions and follow the approaches from this article about securing WordPress with your own hands and free of charge. It’s basically about updating regularly, having a strong password and always keeping a fresh backup of your site. If you do at least this, then you are already more protected than the average website owner.

Although WordPress itself is pretty secure, its weak spots are themes, plugins and a lack of expertise or awareness on the part of the end user. That’s why WordPress sites constantly get hacked, and it makes security plugins a hot topic.

So the next sections are about plugins and solutions that will help you enhance the protection of your WordPress site.

9. Plugins and solutions to protect your WordPress website

How to choose a security plugin – General factors for consideration

First of all, I’ll emphasize one more time: no single plugin is designed to cover all aspects of WordPress security. For complete security protection you need to use a combination of plugins and/or paid products and services, and be security-conscious while you work online in general. Below you will see suggestions on both single plugins and complete solutions.

One idea for structuring this article was to make a comparison table of the security features that different plugins offer. But I decided not to go only this way, and here’s why:

Judging only by the number of features is not the best way to choose a security plugin or product, because beyond some point the competition over which plugin has more features becomes a kind of marketing game rather than useful reasoning.

Features should be taken into consideration, but it’s better if you understand the overall principles of security; otherwise you can be misled by a mass of security buzzwords and user-interface sugar, and promises that can be really good but are not the most important thing.

In addition to considering the number of features, I believe it makes a lot of sense to focus on the most prominent features and the areas that this or that plugin is very well designed for (the areas are listed above, and I repeat them now: protection, scanning, monitoring, post-hacking).

The tricky thing is to know (or trust a developer) whether each feature in a plugin works properly.

What also matters is the effectiveness of security plugins (or solutions) and users’ feedback.

The convenience of using a plugin also plays an important role (especially for newbies), everything else being equal.

Professionalism of developers is also a very important factor, not only because security is vital, but because it’s a constantly evolving sphere that requires dedication, fast and reliable updates. That’s why it’s not recommended to use security plugins developed by amateurs, for marketing purposes, or abandoned plugins.

The list of cornerstone security plugins that are featured in this article

I’ve chosen the most well-known and established companies and brands developing WordPress security plugins that offer comprehensive security solutions and have a good reputation according to wordpress.org feedback:

Sucuri Security

iThemes Security (formerly Better WP Security)

Wordfence

BulletProof Security

There are also some well-known plugins that are targeted not as comprehensive WordPress security solutions, but focus on some specific areas (for example, firewall, authentication, backup tools). I’ll mention some of them in this article as well.

Disclosure: Please note that I haven’t tested the mentioned plugins and solutions in depth against actual malware, backdoors and attacks. But these free and paid products are very well-established and are some of the best on the market in this WordPress security segment.

My research results and ratings are based mainly on features that these security plugins and solutions have as well as on information and reviews found on the web and from my readers. Also I take into account my own experience with the products.

Sucuri company’s general overview

Sucuri is a company that specializes in website security protection, monitoring, scanning and cleaning up.

Sucuri’s market advantage is that they have developed a unique semi-automated mechanism for cleaning up websites. So you can get your website cleaned (and then protected for a subscription period) for an unbelievably low subscription fee.

Sucuri offers 3 products (one of them free) that cover a full range of protection, monitoring, scanning and post-hack cleanup solutions for WordPress.

Sucuri is founded and managed by web security technicians rather than marketers. In my opinion, from many perspectives it may be considered as a huge advantage.

Remote website scanning (powered by Sucuri‘s SiteCheck service) checks whether your site is hacked, contaminated or blacklisted. (The hacking/contamination scanning is not in-depth compared to the paid Sucuri Antivirus, but it’s good and convenient considering it’s free.)

User experience

To activate the Sucuri Firewall all you basically need is to change your A record for your domain. If you don’t know how to do that, you may open a support ticket and the support will do it for you.

Also, you may speed up your website by enabling the caching option and optionally specifying a server location (for example, if your traffic comes mainly from North America, you select the US server location). By the way, according to my research, Sucuri Firewall made my website 2.3 times faster.

Also consider using paid Sucuri Antivirus solution, which already includes Sucuri Firewall. (I review it in the next section below.) In this case you can set up the Firewall within Antivirus dashboard.

Other notes

Although Sucuri Antivirus is quite a complete solution, consider the combined solutions below in this article that add a backup system and additional authentication protection.

Also, it’s worth saying once again that Sucuri Antivirus offers an unlimited cleanup service, which means that if your website gets contaminated it will be cleaned of any malware, blacklisting and everything that goes or may go with it, at no additional charge. It’s a winning advantage over the other products I review in this article.

iThemes also offers packages that include not only security products, but also backup service, themes, WordPress management and other plugins, which can be cost effective when bought together.

What the free iThemes Security plugin does

The most prominent features of this free plugin are:

A prioritized to-do list of security-hardening items to help you protect your site with 1-click for each security item

File change detection (it compares files with the versions saved at a previous check to help you find out whether changes were made by someone other than you)

Remote website scanning (powered by a third-party service, virustotal.com) which can identify whether your website contains viruses or other malicious content. (Note that it’s not an in-depth scanning tool and cannot be used as a comprehensive alternative to antivirus/scanning software installed locally on your server.)
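Here is a small illustration of the baseline-and-compare approach that file change detection uses, added here as an example and not code from iThemes Security or any other plugin. It hashes every file under a directory, stores the digests as a baseline, and on a later run reports what was added, deleted or modified (deletions included, which is where plugin reports sometimes fall short); the skipped `cache` directory name and the sample file tree are assumptions.

```python
"""Baseline-and-compare file change detection for a wp-content-style tree.

First run: hash every file and save the digests as a baseline manifest.
Later runs: rebuild the manifest and report added / deleted / modified files.
Illustrative example, not the code of any WordPress security plugin.
"""
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large files do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root, skip_dirs=("cache",)):
    """Map each file under root (forward-slash relative path) to its digest.

    Directories named in skip_dirs are not descended into. "cache" is an
    assumed example: a page cache changes constantly and would only add noise.
    """
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def compare_manifests(previous, current):
    """Return the paths added, deleted and modified between two manifests."""
    added = sorted(set(current) - set(previous))
    deleted = sorted(set(previous) - set(current))
    modified = sorted(
        path for path in previous.keys() & current.keys()
        if previous[path] != current[path]
    )
    return {"added": added, "deleted": deleted, "modified": modified}


def save_manifest(manifest, path):
    """Persist the baseline. Keep it outside the web root, so whoever can
    modify site files cannot also rewrite the record of what they looked like."""
    with open(path, "w") as handle:
        json.dump(manifest, handle, indent=2, sort_keys=True)


def load_manifest(path):
    with open(path) as handle:
        return json.load(handle)


def demo():
    """Constructed sample: a tiny fake wp-content tree is baselined, then one
    plugin file is edited, one is deleted, one appears and the cache churns."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as state:
        def write(rel, text):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as handle:
                handle.write(text)

        write("plugins/hello/hello.php", "<?php // original\n")
        write("plugins/akismet/akismet.php", "<?php // untouched\n")
        write("themes/twentyseventeen/style.css", "body {}\n")
        write("cache/page.html", "<html>cached</html>\n")  # skipped by build_manifest

        baseline_path = os.path.join(state, "baseline.json")
        save_manifest(build_manifest(root), baseline_path)

        # Changes that the next scheduled check should catch (cache churn should not).
        write("plugins/hello/hello.php", "<?php // changed\n")
        os.remove(os.path.join(root, "plugins/akismet/akismet.php"))
        write("plugins/hello/extra.php", "<?php // new\n")
        write("cache/page.html", "<html>newer cache</html>\n")

        return compare_manifests(load_manifest(baseline_path), build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

On a real site you would run the baseline once after a clean install or update and schedule the comparison, treating any unexpected entry in the report as something to investigate before the next update overwrites the evidence.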

User experience

The plugin may seem to have a lot of settings (which can be a bit frustrating for a newbie), but on the other hand it gives more control and flexibility.

Logging (as a part of monitoring) is detailed but at the same time it may be overwhelming or not friendly for a non-technical newbie.

It may cause some server load when working with file change detection (may cause slowdowns or other issues if your server is not good enough – it’s recommended to have 128 MB of RAM on your server).

Other notes

Since the free iThemes Security plugin offers some powerful features, some people experience trouble with their websites when they start using the plugin (in general, any plugin can break something on your website, so make a complete backup before installing plugins).

Rating chart for the free iThemes Security plugin

iThemes Security plugin

Price

Free

Protection

Quite good, but would be more efficient with firewall features (see Combination of Plugins section below)

Scanning

Not in depth, but good as a free product

Monitoring

Provides detailed log of file changes which is great if you are a bit tech-savvy, but newbies may find it not friendly

Post-hacking

Not a complete solution - provides only scheduled database backups

Beginner user friendliness

Some parts are easy and clear, some parts are more technical and settings may seem a bit puzzling for a newbie

Overall

Good plugin. Recommended to use with other plugins and/or solutions (see Combination of Plugins section below)

Other notes

In my experience, Wordfence’s scan did not work (it could not start) after I installed the Sucuri and iThemes Security plugins. Even removing all these plugins and re-installing only Wordfence did not help.

I did not investigate this compatibility issue this time. I just re-installed my test WordPress site, installed Wordfence, and its scan worked fine. This does not mean that either of these plugins is bad or unreliable. However, it does mean that they may not be compatible with each other in some environments.

Rating chart for free Wordfence Security plugin

In depth, of one the best among free options. And paid version offers even more versatile scanning and more convenience

Monitoring

Great live traffic monitoring, and file change detection that shows what has changed, run automatically once a day; but it does not keep logs - e.g. if someone deletes a plugin it does not record that explicitly. (The paid version offers scheduled scanning)

Post-hacking

It can help you to find what has changed after the incident

Beginner user friendliness

Clear, easy, with explanations

Overall

Its advantage is in-depth scanning and live traffic monitoring - very good for free product

User experience

From a technical point of view it’s the same plugin as the reviewed free Wordfence Security plugin but with additional features.

Rating chart for Wordfence Security Premium plugin

Wordfence Security Premium plugin (paid)

Price

$99/year and less depending on number of licenses and years

Protection

Thanks to the application-side firewall, brute-force and DDoS protection

Scanning

The core functionality is as in the free version, plus scheduled scanning

Monitoring

Great live traffic monitoring, and file change detection that shows what has changed, run automatically once a day and on schedule; but it does not keep logs - e.g. if someone deletes a plugin it does not record that explicitly

Other notes

Apart from set-and-forget protection via .htaccess files and database backups, it’s also like a set of utility tools that users should be able to handle easily if they do their website security themselves.

Don’t be afraid of the seemingly complicated interface (if it seemed so to you). Even if you find it not very friendly at first, it’s totally worth making an effort and spending some minutes learning it to start enjoying its performance.

In my opinion, it is the product of choice if your primary concern is protection (that is what the product focuses on). Monitoring is also a solid feature. Other aspects, such as in-depth scanning or after-hack cleanup, are less developed. This is fantastic software in the right hands (the plugin provides the best value for technically skilled users). In addition, it’s very affordable.

9.10. Other plugins

For this article I have reviewed some of the most well-known, comprehensive and established WordPress security plugins. But there are more plugins. Many of them do not cover WordPress security fully, but they do their work well in their targeted areas.

If you want to protect your WordPress site on your own (especially without using paid products), then you may want to maximize protection of your website by combining plugins. I describe some effective combinations of security plugins below.

Why one plugin may not be enough

When it comes to security protection and malware/contamination detection, no single plugin (even a paid one) can give you a complete solution and 100% prevention, protection and detection. Different software works in different ways, covering only part of the security threats and issues. So if you want to maximize the effect, you may want to use more than one plugin.

A note about how I combined plugins into suggested security solutions

In the sections below I describe combinations of plugins trying to find a good balance between price and functionality.

In each suggested solution below I put one of the paid products from the reviewed companies as a starting point.

Also I suggest fully free (but still effective) security solutions.

Warnings before combining security plugins or solutions

There are several issues that you need to keep in mind when making a decision on combining plugins for your final security solution:

Security plugins from different providers are not guaranteed to be 100% compatible;

Some security plugins may conflict or break other (non-security) plugins;

The more plugins you use, the more work you need to do and more time to spend managing/monitoring the plugins;

There’s a risk that using many security plugins will do more harm than good (e.g. blocking you or all traffic, or even breaking your site, excessive information, wasting time dealing with it and so on).

So how many and which plugins do you need?

It’s a question of the balance between your expertise, the level of website security you need, and the effort/time/money you want to spend setting it up and managing it.

Here are some effective WordPress security solutions that I have compiled.

10.1. Free minimalistic no-heavy-security-plugin solution

Overview

Some people find it difficult, or are reluctant, to set up and manage powerful security plugins. Also, people may want to minimize the number of plugins they use (for example, to avoid the risk of damaging the website with plugins and/or to have more control over the website).

It contains mostly protection measures (that need to be set just once) and important solid pieces of advice on website security.

Rating chart for free minimalistic no-heavy-security-plugin solution

Minimalistic security solution (free)

Price

Free

Protection

Effective, but not complete compared to other suggested solutions

Scanning

Does not do it

Monitoring

Does not do it

Post-hacking

Does not do it (however, the article reminds you to have a fresh backup)

Beginner user friendliness

Some protection measures may seem a bit complicated for a total newbie since they require editing core files

This solution suggests some effective protection measures (which need to be set only once) and explains some underestimated website security threats and safe online habits that everyone should consider.

Other notes

I also suggest reading this article – it can help you as well in addition to this solution.

If you have issues with plugin compatibility or you need other features, consider replacing plugins with other ones. When you do website protection yourself, you’ll need to gain expertise (if you don’t have it yet) by learning and trying.

General overview of full solutions based on a cornerstone paid product

The advantages of the full solutions:

Advanced protection, scanning and monitoring (each solution below features one or more leaders in WordPress security)

A full backup solution, which means that you can restore your website from any point or restore single files. (Imagine that an experienced hacker or a new hacking script broke your site, or even that it was you who made some unwanted changes like breaking the website or deleting some data, or your hosting did a bad job and lost your data: you’ll need the most recent backup.)

10.3. Full Sucuri Protection and Backup Solution

Overview of the solution

This solution features Sucuri‘s product, which, apart from a lot of other useful things, allows your website to get cleaned of malware and other contamination, restore its ranking in search engines, get whitelisted again etc. in case your site was hacked and blacklisted.


Please note that the given scores are just approximate estimations of the plugins’/solutions’ functionality. Besides, the ‘Overall’ column is calculated automatically and its value is rounded, so it’s also an approximate evaluation.

12. WordPress security plugins compatibility

I have not researched compatibility issues in depth, but there are some notes that can be useful to you.

Some plugin features may overlap or be incompatible with each other, as well as incompatible with some hosting/server configurations. If issues arise, support tickets or the plugins’ support forums may help.

And here are a few compatibility issues and tips for resolving them:

iThemes Security/Better WP Security is not compatible with BPS or BPS Pro (some more details here)

BulletProof Security & Sucuri – scanning compatibility issue and how to resolve it is here

Sucuri and WordFence Scanning Conflict and how to resolve it – see here

Sucuri’s option to forbid PHP execution in the wp-content directory may stop Wordfence from working. If you experience this issue, you need to make sure you don’t forbid PHP execution in the wp-content directory (it will weaken your protection, though). Some more details are here

13. WordPress security plugins and products features comparison table

While working on this article I’ve put together the features of the security plugins/products for comparison, to see what functional areas they cover.

It’s the most hassle-free solution that covers the entire security of your website. And you are completely covered in case of hacks (if you get so unlucky): Sucuri’s team will clean up your website an unlimited number of times at no additional cost if your site is hacked or gets malware.

It’s one of the best solutions when it comes to the dialogue between a complicated topic (website security) and a consumer (user). Its breakdown of protection measures in a to-do list manner is just very natural (and even educational), and so users intuitively love it. It also has good monitoring functionality. And it’s free.

If you are making just your very first steps in securing your website, or don’t want to deal with serious security plugins for any reason, then look at the free minimalistic solution.

If you had to install only one security plugin and you want it for free, check out BulletProof Security (free). This plugin is not heavy, is effective in its performance, and focuses on protection, which is the most important part of your website security. Click here if you want to go back to the description of this plugin in my article above.

If you had to install only one plugin or product and price is very important to you, then I recommend BulletProof Security Pro, which is super affordable, focuses on protection (the most important part of your WordPress security) and does its work very well. Its monitoring options are also very good. Click here to go back and read about it in the article above.

I hope you enjoyed the article! You can read my free research on resources and tools for bloggers and small business owners on this website. By the way, if we haven't met before, my name is Michael Bely.

Comments

Hi Michael, This is a Very Interesting Article, Really Amazing Information and Guidelines. I agree with You, Superb and Good Points, a very Long Informative WordPress Plugin Best Security Guide. Thanks a lot For Sharing with me. It’s my First Visit to Your Blog, I am Really inspired. Keep it up, Have a great week,

Hey Jassica, Thanks for your feedback! By the way, it’s not your first visit to my website 😉 – I see you have already left a comment for the article about hosting companies to avoid. And I’ll be happy to see you again!

Hello Murad, Thanks for visiting my website again. Feel free to subscribe to the updates (if you have not subscribed yet) to get notifications to your inbox about my new posts when they come out. As regards links you are asking about, it’s a free plugin “Table of Contents Plus”.

I have subscribed now; I’ll verify it when I open it from my personal PC. Thanks for the plugin.

One thing here I need to make sure of: before, I was only using one plugin, “Wordfence”, but after this great research I need to ask you. If I use Wordfence with Sucuri Security and BulletProof Security, does this slow my website down? I mean, do these three plugins make my site slow? Note that I use a HostGator hosting plan.

In brief, BulletProof Security does not slow down your website since it’s a neat firewall on a .htaccess level.

Sucuri Security (free) includes a scanner that is not heavy, so I would not worry about it loading your website either.

But Wordfence may be a heavy loader for some websites, since it’s an in-depth scanning tool with a real-time traffic view. It depends on your website though: the bigger your website is, the more noticeable the load may be. So you will just need to run the scan and see how long it takes for your website and whether it slows your website down during this time.

HostGator is an EIG brand that is not respected at all by professionals. EIG can turn off your website without any prior notice if they think you may be using some heavy plugin. I’ve seen cases when HostGator switched off sites, blaming some plugins including Wordfence for loading the server, without looking into the issue properly. A decent hosting company should assist you in resolving a load issue if there is one, and not just cut you off without letting you know. But if you don’t have a big site, perhaps it can be OK for you.

I have VPS hosting with a company owned by EIG. When I recently upgraded Apache and PHP there were warnings in the PHP installation logs. The culprit was a WordPress rule in an HTACCESS file in the root drive of the server. I couldn’t get a proper response from the company about the PHP upgrade warnings and this file. I have been considering moving my clients’ websites for a while and this has just confirmed my good reasons for moving. Thanks for the list of decent providers in your other article.

Excellent article and I am really glad that I found your site, a lot of interesting reading there. I am wondering whether your conclusions re best security combo still stand almost 2 years after writing this? I run my website on a VPS and am considering switching the firewall from ModSecurity to Sucuri WAF. Yet, I still have to make the decision regarding going with the Sucuri AV “package” (10.3) vs. Sucuri WAF + Bulletproof (10.6. BTW, you mentioned in another article that this is what you’re using). One very important criterion for evaluation that is missing in your article is the performance penalty for implementing these security solutions. Obviously, nothing comes for free, but I would be interested to learn which of these two has the heavier toll on performance. In other words, what is less performance intensive, the monitoring/scanning part of Sucuri AV or Bulletproof?

> I am wondering whether your conclusions re best security combo still stand almost 2 years after writing this?

Yes, this article is up-to-date. This is one of the most popular articles on my blog. And I update it each time I notice anything that needs to be changed.

> Sucuri AV “package” (10.3) vs. Sucuri WAF + Bulletproof (10.6)

Bulletproof Security (BPS and BPS Pro) requires some technical knowledge for the most efficient use. Sucuri WAF and Sucuri AV are very easy to use. At the same time Sucuri (both AV and WAF, which is included in AV) is considered to be the most efficient product on the market in this segment (website and web application security). There are more professional services for bigger enterprise usage, but their prices are about 10x bigger (i.e. simply another market segment). Also, as regards the most important differences that matter a lot for a typical user, option 10.3 (AV) includes, among others, unlimited and free clean-up in case of virus, malware, etc. contamination. Option 10.6 does not include it (Sucuri WAF does not come with the clean-up option).

> 10.6. BTW, you mentioned in another article that this is what you’re using

I’d go with Sucuri AV, but this is too expensive for me right now. In fact, I decided, for now, to sort of wait till I get hacked (if this happens one day) and then I will order Sucuri AV, which includes clean-up from then on and forever 🙂 Maybe I will go with Sucuri AV sooner (as soon as I get more budget). After all, option 10.3 is my desired aim. For now I ignore monitoring and scanning options, focusing on protection and backups (that’s why Sucuri WAF (external firewall) + BPS (internal firewall) + a backup solution is enough for me for my website at the present time as a minimum accepted solution).

> One very important criteria for evaluation that is missing in your article is performance penalty for implementing these security solutions.

That’s true. I don’t have detailed research on performance for these options. But meanwhile I mention in the article which options are significantly more resource-intensive. Sucuri (WAF and AV) and BPS (BPS Pro) are the least demanding from this perspective. In fact Sucuri WAF even improves performance thanks to its caching level (sort of a CDN, but not really a CDN). I even have test-based research on it. And the BPS plugins are super lightweight (they do no scanning, so they’re quite seamless).

As regards iThemes and especially Wordfence, they too often harm the limited resources of the server IMO, since all the work is done on your server (these guys are the plugins). Especially on shared hosting. Although on a VPS it can be fine. But again it depends on your website size. I haven’t tested these guys on a VPS, nor have I paid special attention to reviews from VPS users. But I know for sure shared hosting users often complain about performance issues (especially so for Wordfence). Sucuri’s core software is based on their servers, which makes it very comfortable for your server to use it.

> what is less performance-intensive: the monitoring/scanning part of Sucuri AV, or Bulletproof?

I have no research on this, unfortunately. But in fact I don’t really think this should be a question. Both options raise no issues with performance, although these two products do different things. BPS does no scanning as Sucuri AV does (the most resource-intensive operation is scanning). And Sucuri AV does the scanning very carefully and gently (e.g. compared to Wordfence). However, if we compare options 10.3 and 10.6, then 10.6 is much heavier because it includes Wordfence, which features scanning. Option 10.3 includes Sucuri AV, which does the scanning much more efficiently from a server performance point of view (and also AV is more efficient from the contamination- and other security-malfunction-finding perspective).

Also, compared to plugins, Sucuri AV is the next (or simply another) generation of products. Option 10.3 is not only the best and easiest practical solution for most users (especially those without deep knowledge and the desire/ability to analyze server logs), it’s the least server-resource-demanding. Its only disadvantage is the price.

Thanks for such a detailed response. I’ll follow your advice and switch to the Sucuri AV package; it is $80/year more than Sucuri WAF, but I want simplicity and peace of mind. I run a business website and any outages/downtime cost us a lot. Once again, thanks for such a great website, you got another dedicated subscriber here 🙂

Hello Michael, I’m talking about the combination between NinjaFirewall and iThemes Security. Is there a better combination between iThemes Security and Full Sucuri Protection? I think it’s a more money-saving solution.

Oh I see now. Full Sucuri Protection is a powerful and hassle-free solution – it’s not just a firewall, but also an in-depth scanner and unlimited auto-hack cure service. So you can’t replace it with Ninja Firewall. But if you meant Sucuri Firewall (which is a part of Full Sucuri Protection), then yes, to some extent (only to some extent) Ninja Firewall can replace it. For instance, Sucuri Firewall is an external service that sanitizes your traffic, whereas Ninja Firewall is still a part of your WordPress site (which is less secure).

I tried to use Sucuri on my website! However, I have a feeling my website became slower after pointing the IP to Sucuri (1-1,5s & ping to my website increased from 4ms to 60ms)! I am torn between security and performance! This is really not easy! Why don’t I see you mention CloudFlare? Is it not good?

A ping time increase to 60 ms is not an issue if it is taken as a single factor, in my opinion. If you are concerned about the speed, you may contact their support or try to do the tests yourself. For example, I like the free service http://www.webpagetest.org/ to see the full page load time for my websites. But be aware that there are many factors that influence the speed of your website. Maybe too many for a non-expert – starting from your shared hosting environment load and caching of your website and finishing with bottlenecks along the traceroute and the client’s browser caching and CPU load.

So in short, I don’t think Sucuri typically causes a speed issue. Even quite the opposite – it can improve the performance. If you have any doubts or you think it’s a real case, it can be an isolated issue – simply contact their support.

As regards CloudFlare, it’s a CDN first of all, whereas Sucuri focuses above all on security.

Just wanted to drop a note to say thanks for putting together this in-depth article.

I use iThemes Security Pro on several sites & Wordfence on a couple of others. They both seem to be effective for what they do. I am also going to add the Sucuri WAF Firewall to all sites…it’s hard to argue with it at that price.

Great round-up. Really good effort. My only question is that iThemes is not recommended at all in your conclusion? Is there a reason it doesn’t make the cut in comparison? I’ve had good experience so far using Sucuri, WordFence, and iThemes – individually, and together. You do seem to favour Bulletproof above the others? (And the link to the Pro version is an affiliate link). I don’t mind you making $$$ either, as all the other links are free/direct links. BUT does that bias your conclusion? I guess the Conclusion I want is almost a 1-liner for each product, about why one is 1st, 2nd, 3rd, or 4th? Don’t get me wrong, great article – but WHY Bulletproof above all the others? And why not iThemes at the finish. 🙂

Sorry – I stand corrected. It’s not an affiliate link to Bulletproof. It’s their stoopid domain name!!! So I take back anything relating to $$$ bias. BUT my questions still stand about why one over the other – in 30 seconds…. GO! 🙂

I’ve got no affiliate links to any security plugin at all. So far at least. But I’d add them if I could, because all of these products are great.

Update from October 22, 2015: I do have some affiliate links now.

As regards one-liners, it’s a good idea to make such, although it would be a (sort of misleading) simplification. I even hesitated very much about whether to include a final comparison chart with star ratings or not. It makes more sense to me to compare the stronger/weaker sides of each solution like I did when analyzing them one by one.

Anyway, here are summaries emphasizing the strong sides of each product: click here (will open in a new window – I added it in the article)

Besides, it’s true that I favor BulletProof Security, because it’s very lightweight and truly efficient in terms of protection, and absolutely not expensive (or even free). I just love such solutions that work very well without side effects. And its free version is very good. Maybe even too good to be free 🙂 One big caveat though that many beginner users mention is that it seems too technical for them at first sight.

By the way, it’s not Bulletproof above all the others in the conclusion, but Full Sucuri Protection and Backup Solution as a complete and easy-to-use solution 🙂 But it’s expensive.

And here’s about iThemes.

Before all, I did not mean don’t use it. Quite the opposite – I recommend it, if it’s what you need. And see the analysis in this article to see if it’s what you need.

The point is that the solutions presented in this article do their work differently and sometimes target different segments of website security (such as protection, monitoring, scanning etc). Users should understand these segments to make the right choice without being misled by a false feeling of security.

So, each plugin has its weak sides (for example, price, server load, compatibility, or the fact that they cover some segments of website security worse compared to other plugins).

iThemes is a strong solution, so if you use it and it works well for you (no conflicts with other stuff etc), then it’s really fine.

If you use its paid version, then the only thing to enhance is taking care of your backups (a must for everyone). Also you may consider using a true website firewall (e.g. Sucuri CloudProxy) if you experience heavy DDoS/botnet attacks and other malicious traffic assaults that load your server.

The reason iThemes is not in the conclusion section is that the conclusion is my personal recommendation for those who find the article difficult. I could include the iThemes paid version in the conclusion, but then it would be logical to include the paid version of Wordfence as well, etc. But in that case it would be a sort of repetition of the “Combination of plugins/solutions” section. I needed to make the choices narrower.

Also, iThemes is not compatible with BulletProof Security, which made it impossible to mention it in combination with other plugins.

The conclusion part is just my own answer to the question “Ok, all of these plugins/products/solutions are great, but what would you finally recommend after all, from your point of view, for different kinds of users?” So I answered it my way, considering the balance between efficiency, priority (which is protection IMO), budget and user-friendliness for different kinds of users.

Hi Ray, I guess $19.88 is the price for one installation (website). So, in your case I guess it will be 30 x $19.88. But go and ask them directly (e.g. via online chat form). Maybe in your case they will give you a bulk discount (why not try asking? 😉 )

Do you have any experience with the All In One WP Security & Firewall plugin (https://wordpress.org/plugins/all-in-one-wp-security-and-firewall)? I’m at the stage where I will need to increase security measures on 20+ WordPress sites and we’re looking for the best fit in terms of a free solution that will work across the board to supplement a couple other paid security products (SiteLock through GoDaddy and HackAlert through SiteGround).

I’d love to hear if you have any thoughts about the AIOWPS plugin and how it might rank against (or in combination with) your other recommendations. The main reason I ask is that we already have this plugin installed on all our sites, though we have little experience with the other plugins in terms of comparison. The easiest approach for us would be to simply add on another plugin or two in addition to AIOWPS, but we are ready to start fresh with a whole new configuration if needed.

I’ve wanted to include the All In One WP Security & Firewall plugin in this article, but it just overlaps other plugins, so I decided not to clutter my article, which is already too big for one read 🙂 Anyway, AIOWPS is a good thing.

If you want to increase the security and do it for free, and if you use Apache (and not nginx), then the best thing I can recommend for you is the BulletProof Security plugin. It’s very light and very effective from a protection point of view. Its free version is very powerful, and its paid version costs comparatively very little and has an unlimited license (it can be installed on as many websites as you want).

However, I have not investigated very deeply whether it’s compatible with AIOWPS. But I think it should be. If you decide to use the free version of the BulletProof Security plugin, you may install it on one of your websites and check if it works fine. And if you want the paid version, I think you can also contact its author and ask him to make sure about compatibility with your environment. You are welcome to let me know in the comments how it goes for you.

Also, what I’d recommend above all is to have a backup strategy, because it’s much more important than any other measure (it’s obvious, but just in case). If you already do backups regularly, then that’s great; I’m repeating this for other readers 🙂

I explored BulletProof a bit and have ended up purchasing the Pro version. It really is, like you said, a fantastic deal and the support has been top notch. There’s definitely a learning curve but, while discovering how to use this plugin, the instructions are also teaching me a lot of things about website security that used to seem quite foreign (it’s almost like you get a free web security training class along with the plugin!)

I reached out to the developer of BulletProof and he didn’t think there would be any conflicts with AIOWPS. However, since BulletProof basically generates the .htaccess file for the site, I would need to place any AIOWPS .htaccess code (such as IP blacklists) into the BulletProof “custom code” area manually. This wouldn’t be too difficult but I’ve actually removed AIOWPS for now anyway as it seems BulletProof has us well covered.

I am still planning on using the “BBQ: Block Bad Queries” plugin and possibly the “WP Security Audit Log” plugin as well for extended protection and functionality. We do have great backup systems on our GoDaddy Managed WordPress and SiteGround shared hosting environments, so if we can combine great backups with a good security system that has great monitoring, then even if something does get hacked we will hopefully find out about it right away, be able to revert to a backup, and patch the issue swiftly.

Great article! I’m gonna buy your solution 10.2… for free. Exactly what I was looking for. Thank you so much. You’ve saved precious time for a WP beginner carrying a huge project to change the world 😉

I prefer a combination of plugins. I am using iThemes Security, Wordfence Security, and Anti-Malware by ELI. These 3 can offer you great protection. Scan every week with Anti-Malware by ELI and block IPs manually in Wordfence Security, add 404 protection and protect your important WordPress folders with iThemes Security. Why iThemes? Because iThemes Security now uses Sucuri SiteCheck. 🙂 My site speed is great, so no problem if you use a combination of security plugins.

Thank you very much for all the effort you’ve put into this research, it was very useful. I chose the 10.2 option. I was just wondering why you recommend all three plugins (BulletProof, Sucuri and WordFence). I know it’s never too much security, but some functionality is redundant, like the Login Security, and now I’m confused what I should be setting up on each plugin. I’m a newbie and I’m eager to learn how to protect my WP websites. Could you help me out? (more than you already have)

Thanks Ricardo for your comment. I recommend all these plugins because together they cover different segments of security (protecting, scanning and monitoring) for free. For redundant functionality, just choose what you like most or what suits you better. Section 10.2 covers all these segments for free.

IMPRESSIVE! That’s the only thing I can say. Impressive amount of data. I don’t even know if so-called experts know as much on WP security, and I have just read the Google Sheet comparison table. Keep up the good work.

Michael, I hate to ask but… did you receive any incentive or product licenses for this review? It’s very impressive and in-depth, but I was surprised All In One didn’t make the list. (I have no connection with AIO.)

The story behind this article is quite simple. I just wanted to compare very well-known and popular security plugins or products and make up a couple of strategies for securing the WordPress website.

Since there are many security plugins, I just took some of them. I could not take many, because it would make my article even bigger, which was not what I really wanted.

So, I’ve chosen the plugins and products to review simply by how popular they seemed to me after a quick overview in Google search and in different blogs. Those four products I’ve selected just seemed to me more frequently noted and recommended by both marketing and technical bloggers. That’s it.

And the article already took so much time and I wanted to finish it as soon as possible without sacrificing the quality of the article. The idea of including some more security products or plugins in the article just made me sick 🙂

That’s why AIO, as well as many others just did not get into the list.

Answering your question about compensation – no, I did not have any connection with the companies or the plugin developers, or compensation for writing this article. However, I’ve become an affiliate of Sucuri and BulletProof premium products because after my research I have come to the conclusion that these products are the best in what they do among the others in my article. But I joined these affiliate programs only several months after I published this article, when I realized that these products had affiliate programs 🙂

As regards your issues with WordFence, I see you make valid points regarding functionality and UI. Let’s see if (how) the support will answer you. Anyway, if there’s something not functioning, it should be fixed.

Sounds good — I thought your work was too in-depth and personal to be a marketing effort, and I’m happy to hear you did this honestly and properly.

Glad you liked my comments about WordFence — hopefully they improve! Honestly, none of the products have had 100% of what I wanted, but AIO + IP Blacklist is what I’ve settled on for now. I hope they all improve so I can reduce the number of plugins on my sites!

Hi, In 10.3. Full Sucuri Protection and Backup Solution you mention that you use CodeGuard in addition to Sucuri which has a backup option. Since I understand Sucuri now includes the backup option in the pricing, is there no need for CodeGuard with Sucuri?

Hi John, As far as I know Sucuri backup is an additional service. However, I’ve just asked Sucuri support about it to make sure, and here’s the reply:

Hammer: Hi Michael how are you today?
Michael: Hi, do you include backup option in full Sucuri protection price? Or is backing up paid additionally?
Hammer: Backup is an addon runs 5 per month per site or 60 a year 🙂
Michael: Okay, I’ve got it! Thanks
Hammer: No problem happy to help

Anyway, CodeGuard is a more powerful and backup-dedicated solution. And CodeGuard is even cheaper 🙂

Great article Michael, I have my site on a shared Windows hosting server, so I think Bulletproof is not a good solution for me as it uses .htaccess. Do you suggest any plugin which will work well for Windows hosting? I also don’t want to slow down my site while protecting it.

Hey Anu, According to the BPS description, it’s now compatible with Windows IIS. Feel free to contact its tech support to make sure how to make it work in your case. Alternatively you can use the Sucuri Firewall (CloudProxy) service. It’s great, very easy to set up and seamless to use. Both BPS and Sucuri absolutely do not slow your site down (I’m using them).

After trying all of the above plugins independently on a local install of WordPress I opted for BulletProof Security Pro. I am wondering why you only gave it a post-hack score of 2 stars, with regards to my two points below:

1) Its file monitoring and file backup restoration looks excellent. On a live site any changes in the WordPress backend to my Gantry 5 framework custom-made theme files were immediately quarantined. Even with a manual restore of new or altered files within BulletProof Security these files were again immediately quarantined, as they should be. I then went through the proper procedure to mark these files as safe.

2) The DB backup scheduling can be set to hourly with the backup sent by email so surely this should warrant more than a 2 star rating – can you elaborate more on why you gave it such a low score please?

First of all, thanks a lot for your thoughtful comment. And I appreciate you taking security things seriously.

As regards the score for BPS Pro. Above all, BPS is great stuff and I’m glad you also have this opinion after checking it out.

Regarding the post-hack score particularly, BPS Pro indeed has a feature to back up standard WP files. It’s not a complete website backup as CodeGuard makes, but anyway this is much better than simply scheduled DB backups. Not sure how I missed the file backup feature of BPS Pro, but this is a good reason to make the post-hack score for BPS Pro higher.

As for quarantine, this feature is eligible for Monitoring in the first place. And the monitoring score for BPS Pro is pretty high. Of course, the quarantine feature can assist with post-hacking procedures as well.

After all, I agree with you that, considering the file backup restoration option, the post-hack score should be higher for BPS Pro. I will fix it and make appropriate amendments in my article soon.

Many thanks for your reply. I was a little premature in my post as I have had more time to really look at the pro version of BPS.

I am interested in your response about the BPS Pro backup feature. I’m not sure what you mean by saying that it doesn’t have a complete website backup. It does have individual functions for backing up, deleting and restoring all root files; wp-admin folder files; wp-includes files; wp-content files; and even functionality for creating backups of custom files and folders.

The quarantine function for files is so good it became a nuisance as I was working on a site and edits and additions weren’t viewable on the front end. Using the in-built auto-restore just leads to an automatic quarantine again unless the proper procedure to mark files as safe is implemented. This is fantastic monitoring and post-hack functionality, is it not? The database also has a monitoring tool that can be set to check changes to a combination or all of the database tables as often as every minute, with email alerts. If the database is compromised it also has an in-built database comparison tool to check and see changes to the database – couple this with regular database backups sent by email and this seems to be an excellent monitoring and post-hack restoration solution.

I would be really interested in your thoughts about this as I’m new to WordPress after many years as a Joomla user.

Hi Phil, Before all, I’d like to thank you for your valuable comment and let me note that although you are new to WordPress, you are more skilled than the vast majority of WordPress users. Most people simply are afraid of using BPS since it is not that sexy from a beginner user’s point of view. You can easily deal with BPS and you are the kind of user this software was exactly created for.

As regards the BPS Pro backup option, it’s great, but unlike CodeGuard backup (or some other backup services) its user experience is not that smooth, and as far as I know, it does not allow sending backups to a safe off-site place (sort of a cloud storage). Sending backups by email is cool, but this is limited or more risky by design (e.g. possible issues with backup size, not incremental backups, dependence on email functionality).

As regards post-hacking, before all, a typical user will find BPS Pro more difficult to use to restore a website after a hack. The user needs to be technically skilled enough to use BPS Pro properly so that when a disaster happens, the user could have everything under control, organized and at hand to restore the website without any hassle. Also, BPS Pro does not have the malware clean-up functionality that the Sucuri product has (it probably does not look so cool for users who are skilled enough to compare files and database changes and do the clean-up by themselves though, and thus analyze the holes in security). Again, most users want to have a sort of one-click clean-up or 1-click restore functionality with very little or no prior work and with as little skills and knowledge as possible. And BPS Pro is just targeting more professional and tech-savvy users like you. Most other users want a much easier, less error-prone solution with a cleaner UI and smoother UX.

Thus, I totally agree with you that BPS Pro is fantastic monitoring and post-hack functionality, but I have to add that this is so for quite advanced users who know very well what they are doing. For less technical users (i.e. the majority of users, who have even never ever opened cPanel in their life) dealing with BPS is simply not their cup of tea, too difficult and too error-prone because of a lack of technical skills or time to devote to managing it. As a final note, I’m sure that BPS Pro is an awesome tool in the right hands (like yours :)) And the fact that BPS is very affordable makes it a favourite choice of many advanced WP users.
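The file monitoring, quarantine and database comparison discussed in this exchange all rest on the same idea: keep a trusted baseline and diff the live site against it. The script below is an added example written for this page; it is not BPS Pro’s code or any plugin’s code. It hashes a constructed sample WordPress-style tree, stores the baseline outside the web root, reports added/modified/deleted files after a simulated change, and moves a flagged file into a quarantine directory. The skip list (cache and uploads directories) and the file names are assumptions chosen for the demo.

```python
"""File-integrity baseline and quarantine demo (added example, not plugin code)."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# Directories that change legitimately all the time; excluded from the baseline (assumption).
SKIP_DIRS = ("wp-content/cache", "wp-content/uploads")


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, skip_dirs=SKIP_DIRS) -> dict:
    """Map every file under root (relative POSIX path) to its hash."""
    baseline = {}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if any(rel == d or rel.startswith(d + "/") for d in skip_dirs):
            continue
        baseline[rel] = hash_file(p)
    return baseline


def diff_baseline(old: dict, new: dict) -> dict:
    """Compare two baselines; returns sorted lists of added, deleted and modified paths."""
    return {
        "added": sorted(set(new) - set(old)),
        "deleted": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def save_baseline(baseline: dict, path: Path) -> None:
    # Store the baseline outside the web root so a tampered site cannot rewrite it in place.
    path.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def quarantine(root: Path, rel: str, qdir: Path) -> Path:
    """Move a flagged file out of the web root, keeping its relative path for later review."""
    dest = qdir / rel
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.move(str(root / rel), str(dest))
    return dest


def demo() -> dict:
    """Run the whole cycle on a constructed sample tree and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        site, qdir, baseline_file = work / "site", work / "quarantine", work / "baseline.json"
        theme = site / "wp-content" / "themes" / "custom"
        theme.mkdir(parents=True)
        (site / "wp-includes").mkdir()
        (site / "wp-content" / "cache").mkdir()
        # Constructed sample files standing in for a WordPress install.
        (site / "wp-config.php").write_text("<?php // constructed sample config\n")
        (site / "wp-includes" / "version.php").write_text("<?php $wp_version = 'x.y';\n")
        (theme / "functions.php").write_text("<?php // theme functions\n")
        (site / "wp-content" / "cache" / "page.html").write_text("cached\n")

        save_baseline(build_baseline(site), baseline_file)

        # Simulated changes: an edited theme file, an unexpected new plugin file, a cache churn.
        with (theme / "functions.php").open("a") as f:
            f.write("// edited later\n")
        (site / "wp-content" / "plugins").mkdir()
        (site / "wp-content" / "plugins" / "new-plugin.php").write_text("<?php // unexpected\n")
        (site / "wp-content" / "cache" / "page.html").write_text("recached\n")

        report = diff_baseline(load_baseline(baseline_file), build_baseline(site))
        # Quarantine files that were not in the baseline at all; modified files get reviewed.
        report["quarantined"] = [quarantine(site, rel, qdir).relative_to(qdir).as_posix()
                                 for rel in report["added"]]
        report["still_on_site"] = sorted(build_baseline(site))
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The cache directory is deliberately excluded, which is why its churn does not show up in the report; in practice the skip list is the main tuning knob, since monitoring everything produces the “nuisance” alerts Phil describes while skipping too much blinds the monitor to injected files.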

Thank you for your reply and sorry for my late reply. Having thought about it I completely agree with you. I am fully comfortable with .htaccess and php.ini files and why they are so important, yet I had to spend a considerable amount of time configuring and understanding BPS Pro as there is so much functionality to configure properly. I feel a beginner with their first WordPress site would really struggle to understand and configure BPS Pro to make the most of it and be able to recover from a successful attack in a short and painless manner. The support is excellent though, and for the multi-site license price it is a fantastic tool for more experienced users that may not have the budget to afford Sucuri.

Hello Michael, Thanks for the great article! It was very helpful. I had a question regarding the MOST secure solution regardless of price. Would you say that would also be BulletProof Security? And I was also wondering IF I could combine WordFence Premium with BulletProof to cover the holes in BulletProof scan-wise and such.

There are some conflicts between security solutions. Some of the conflicts can be resolved. See this section for more details.

BulletProof Security is a great plugin, but mixing all the possible security solutions together is overkill. In my article I’ve suggested balanced solutions.

I have not heard of unresolved conflicts between Wordfence and BPS. However, mixing these security plugins can potentially interfere.

If you already have Wordfence Premium, I also suggest looking at this solution. Basically, in addition to Wordfence, the solution has an offsite web application firewall (very efficient!) and a fast, reliable backup solution.

Thus, you can try adding BPS to your arsenal, but you will need to check if there are any issues after you start using it. The more security plugins/services you use, the riskier it is to get a conflict.

Thank you Michael! Wordfence has been good, but based on the price and your review of the protections of BPS and Sucuri I think I’ll go with that combo. I’m training in offensive security myself, so I can’t help seeing every opportunity for exploitation now, and there’s a lot! I like the fact that these two groups seem to take it seriously.

Hi Frank, Sorry for the issue. Not sure why it does not work for you, I will need to check it out additionally. Meanwhile, I’m sending you an email and will gladly subscribe you manually. Thank you for letting me know about it.

I want to use Sucuri Security, iThemes Security and All In One WP Security & Firewall (& Clef for two-factor authentication). Can you tell me whether these plugins are compatible with each other or not, and is All In One WP Security & Firewall a better alternative to BulletProof Security?

Wow, great and detailed information with a proper solution. I am new to WordPress and I have tried many security plugins, but each and every time my blogs got infected. To overcome this I read many articles and followed a huge number of blogs, but most of them ended up saying choose whatever suits you. Finally I ended up using iThemes Security + Wordfence and NinjaFirewall. But I was not satisfied with this combination, and finally your article and the proper solution mentioned by you is totally satisfactory for me. My current setup is: HTTPS + Cloudflare free plan + iThemes Security + Wordfence + NinjaFirewall with a changed login page and two-factor authentication.

Please suggest: should I replace Wordfence with Sucuri Security (mentioned in 10.2), and remove NinjaFirewall or not? After reading your article, your suggestion really means a lot to me.

I’m not a fan of the free Cloudflare plan since, as I know from reviews, it can decrease the site performance (particularly, make your site unavailable). But it works as one more free level of protection. I use a paid website firewall security solution from Sucuri (CloudProxy (WAF)), which is the most efficient website firewall on the market in the affordable pricing range.

As regards your configuration, I don’t know your concerns, but I think it’s too heavy and can negatively affect your site performance. If speed is not an issue for you, then it may be okay.

The free configuration I suggest in 10.2 is optimized for performance with all sectors (protection, monitoring, scanning) being covered. However, if you have some budget, I’d recommend simply getting rid of the heaviest plugins (especially Wordfence and iThemes) and just using the paid website firewall.

I try to make my website as fast as possible (as well as highly protected) for a reasonable price. So, I use WAF, BPS (very lightweight and effective for protection) and an incremental backup solution. It’s the fastest (and very secure) combination I know without paying extra.

You should try LCS Security – works really well. My site was under a barrage of failed login attempts and some adware content got injected somehow. This plugin looks like a newcomer, but it really got rid of most hacking attempts and content injection within just a few days after installation.

What a great read. It took me 2 coffees to get through it, but worthwhile the time. Thank you. It made a lot of stuff clear to me. For my sites I am using impossibly complicated passwords of 25 characters; random admin login name; Clef 2-factor; pro version of UpdraftPlus backups; A2 hosting protection; and AIOWP. I am very poised to purchase BPS Pro. Do you think that this could be complementary and not cause a lot of conflicts? And is there anything else you would like to add to complete the hardening package? I played around with Wordfence, but that is using a lot of memory resources at the server level. Thank you in advance and very best regards, Frans

BPS would duplicate a lot of the functionality of AIOWP. Not sure about conflicts, but anyway I’d use either one or the other. After all, my choice is BPS, because it’s more professional. But at the same time AIOWP has a more beginner-friendly user interface, which can be a deal breaker for some users.

Also, if you have the budget, it makes sense to go with an off-site firewall from Sucuri, which is the most powerful and absolutely hassle-free off-site firewall option among affordable solutions on the market. Plus it makes your site faster thanks to its caching layer located at Sucuri’s servers (I will publish a post about it in a day). It will be complementary to your security arsenal and that would be enough for your website protection.

Thank you. I already decided to acquire BPS Pro. After all, this is a one-time investment and very affordable. Regarding the Sucuri Firewall, this is way too costly. I run about 8 sites, mainly for artists, associations and NGOs. Not a lot of budget there. Moreover, I am based in Brazil and with the USD very high at the moment, the cost of this is higher than a minimum monthly salary here. Can you please suggest to me another firewall solution that complements BPS Pro and is more affordable? And also, are you saying that BPS Pro’s firewall does not provide enough protection? Thanks again and very best regards, Frans

Protection can never be enough. Anything can be hacked. The point is to make it too difficult for a hacking script or hacker to deal with your website.

Sucuri Firewall is different from others because it serves as an off-site firewall (a true website firewall). So this is a layer of protection that is located outside of your website and servers. BPS and other plugins are protection that is located within your website already, and they work in a slightly different way.

It could be a very rough comparison, but think of Sucuri as the protection suite for a doctor who deals with deadly contamination, and plugins as an immune system of the doctor 🙂

I have not heard of a more affordable solution that could replace Sucuri in your situation.

With multiple websites and a limited budget, BPS Pro would be the best choice for you. Just one BPS Pro license allows you to use it on as many websites as you want. Also, if you buy it, feel free to ask its support about your hesitations regarding conflicts with other plugins. BPS Pro’s support is superb and will tell you everything you need.

Thank you Michael for the very comprehensive article. It made me wonder if my setup with iThemes Security Pro is sufficient or should I start looking into some additional plugins. I have backup with Backup Buddy and I’m happy with it. Also, what is your experience of switching from one security plugin to another? Have you encountered any issues in that area?

iThemes is a plugin, so it stays inside your WP installation and has all the disadvantages and risks that any plugin has inside your WP installation and inside your hosting environment. A true website firewall such as Sucuri WAF (the one I use) will definitely make your website more secure, protect it from DDoS and other malicious traffic and save you a lot of bandwidth.

A great bonus of Sucuri WAF is that it can also make your website faster thanks to its caching level (here’s my research on it)

As regards BackupBuddy, I’m not really a fan of it, although it’s quite popular among bloggers. I explain why in this article. In short, it’s less efficient than incremental backup alternatives, more risky regarding how fully it backs up and more expensive if you are on a subscription.

Switching from one security solution to another is not a problem at all. It’s a matter of uninstalling the current plugin and/or adding/installing another product.

If you want to add another security solution, then you need to look out for possible conflicts between plugins. I have this covered to some extent in this section of this article. And Sucuri WAF is 100% safe to add, since it’s an off-site and off-your-hosting firewall.

Feel free to contact me if you have an idea for your new security solution and I can confirm that you are safe in your intentions 🙂

Hi Acil, Thanks for your question. You cannot control the CPU usage consumed by WordFence. The only things you can do are:

1. In order to reduce CPU load, scan your website less frequently than once per 24 hours (you can change this only in paid versions of WordFence).
2. Reduce the interval of how often the live traffic data is updated (read more here).
3. Upgrade your hosting to have more CPU resources, e.g. take a managed VPS or a self-managed VPS (if you know Linux well).
4. Change your hosting provider and use managed WordPress hosting that takes care of your website security.
5. Use an alternative solution to WordFence. In this article you can find information about it. You can find some recommendations above.

Great article, thanks. I am setting up my webpage and testing some security plugins.

What about the plugins that hide wp-admin or wp-login.php?! Should we install them as a first security level? In the Bulletproof forum I found this answer from Bulletproof staff: “Trying to hide things would probably stop a human from clicking around and finding your login page or wp-admin page/folder, but this is not an effective security measure against hacker Bots. 99% of all hacker recon, hacker scans and hacker attacks are automated and done with Bots (not a human). You cannot hide things from Bots because they do not look for things visually.”

Edward from Bulletproof Security knows his stuff very well. And I agree with him. I don’t think that hiding your login page should be your first level of security. On the first level you should have a strong password and updated software from a reliable developer (and backups). Then your security plugins come into play. Hiding your login page is not very effective for the reason Edward mentioned. And in this scenario (bot or human hacker attack) 2-factor authentication, or even the free plugin Stealth Login Page in conjunction with login attempt limiting functionality, works much, much better. At the same time, hiding your login page can be an additional (and not compulsory) measure. But anyway, it’s not the first level of security.

Thanks for your comment. Indeed I use Generator for user name and for Password.

I like the combination: Sucuri + Backup. But it is really expensive! I have two domains and this would cost $500 a year. Sucuri does not offer any discount, either for start-ups or for students! I think their main target group is companies, not private persons.

Thus I moved to BulletProof. It is indeed not very intuitive, hard to set up and configure, but they have the best price for a pro version and they said that in the last 5 years, none of their over 30,000 customers has had a security problem!

Thank you again for this great article. It helped me choose the right security plugin and for me it is definitely BulletProof Pro.

Hi Laith, BPS Pro is a superb security plugin for a very affordable price. Sucuri indeed targets website owners who can afford at least $10 per month (this is how much their Website Firewall costs). And this company offers the best security products on the market in its segment. BPS Pro’s support is fantastic. Even if something is not very clear to you from a technical point of view, you’ll get the assistance you need.

Hi Michael, I purchased BPS Pro. It is indeed great, but really hard to install and configure! I don’t have the time to understand each warning and log and take care of it! It is logging my pro plugins, and adding an exception for that is really not intuitive. I must read the docs. I think Sucuri has a user-friendly UI. I am thinking of keeping BPS Pro for my second site and purchasing Sucuri for my other site, which is an informative site where I will offer services. So what plan do you recommend, the Basic or the Pro plan from Sucuri? Best regards, Laith

Sucuri Basic and Pro differ by support response time, frequency of scanning and type of SSL certificate. And from a security point of view, there’s not much difference. So, the Basic plan is enough if the above points are not important to you.

As regards BPS, indeed it frightens off non-technical users. But even if you just install it (running the Install Wizard) and leave it as is after that, it does its work well. And the warnings you see in your WordPress dashboard are additional measures for even more security.

Anyway, of course Sucuri products are higher-level security/monitoring products, with an unlimited clean-up option included and a beginner-friendly interface. Sucuri is the best choice a website owner (individual and small/medium business) may have.

By the way, don’t forget to take care of your website backups. And then you are covered from any disaster and attacks.

If I may submit a suggestion regarding security: I myself had very good experiences with Sucuri (https://sucuri.net/): not only does it provide a firewall (one that visitors won’t notice) and is very compatible with WP (minimal configuration required), but cleaning your site in case of hacking is included. However, it depends on your needs. And also, not all WP hosting services allow for Sucuri (the current one that I am using, for instance, has its own safety measures that are not compatible with Sucuri). Anyway, I just wanted to report that I had only good experiences with Sucuri: reliable company and products. (Sucuri is not only meant for WP, but for any site.) A newcomer to the security field, and one meant for WP only, is SecuPress (https://secupress.me/): this is from the same company behind WP Rocket (cache) and Imagify. But I have only done minimal testing, thus I cannot provide a well-founded evaluation.

Thanks for your thoughts and sharing your experience, Jean-Francois. As regards incompatibility of Sucuri Antivirus product with some hosts, I guess this is quite a rare case, especially with a typical hosting. For those managed or premium hosts which offer alternative website firewall or cleaning up solutions I assume it can be a case.

Hi, I read carefully each line of your article and I want to congratulate you! It’s well written and contains very useful information that, once implemented, makes your life a thousand times easier. I want to tell you that I chose BlogVault because it allows me to see live the backup that I want to use. I have only one question: can you please recommend a good solution for security? Thank you

What do you think about combining the Sucuri Pro plan with the Wordfence Premium paid plan?

Sucuri is one of the best security solutions for WP and their support is amazing! Wordfence has some very interesting & useful tools. Does this combination work well? Or does this slow down the loading time, or do they block each other 🙂

Is this like computer malware scanners? You are not allowed to install two at the same time; they block each other and have a lot of conflicts.

I’ve seen Sucuri and Wordfence conflicting. But it kind of can be resolved. You can read more about it here.

However, I think it’s not a good idea to combine these two products. In my opinion Sucuri is the preferable choice for many reasons, including performance. WordFence is known to slow down your site because it’s a plugin and all the intensive work is done on your server.

Sucuri Pro includes the best options that you can expect from a website security product, including scanning your website back-end. And yes, a part of security products (scanning functionality) can be compared to computer malware scanners. By the way, continuing the analogy with PC protection, Sucuri also has external proactive protection (sort of a firewall or internet security suite you may use on your PC). Sucuri has its Website Application Firewall included in its Pro plan. And WordFence does not have it, because it’s not possible due to the fact that WordFence is just a plugin installed INSIDE your WordPress.

I described the best configuration for website security and peace of mind in this section.

However, if you love some specific features or tools from WordFence, I’d try to find a more performance-friendly replacement for them if possible to avoid using the whole WordFence if you use Sucuri Pro.

Also don’t hesitate to contact Sucuri’s support to find out what they could suggest to you.

The bottom line: using both products at the same time is sort of overkill. I’d stick with just one of them (and I definitely prefer Sucuri because of better results, more peace of mind and better performance).

That’s very interesting information. I have Wordfence on my website and it really does slow it down! According to P3 Plugin Profiler it takes about 40% of my website speed! This happens even though I have done some research and changed some settings (improved by a couple of %). So, Sucuri is faster than Wordfence and still gets the job done? Where’s the catch ;)?

Hi Dave, Thanks for your comment and your question. WordFence is a plugin that works completely inside your WordPress and all work is handled by your server. Shared hosting suffers from such load. Sucuri is a product that runs its software on its own servers, not yours, for almost any activity (firewall, monitoring, scanning), and it affects your server to a very small extent. It connects to your server for scanning, but the software does not load your server anywhere near as much as WordFence. You can have a look at these two articles (1, 2)

I just would like to mention that in times of lower and lower and lower content quality on the internet your posts are a miracle. You run an upstream trend that I hope will win some day. Be proud of what you do, really. Thank you for this post. Maybe people do not want to read long text, but I do. 🙂

Hi Mike, Thanks a lot for your comment! Yes, I’m proud of what I do 🙂 Of course, it takes time to gather all the information and write the long posts, but I guess my efforts will pay me back. People find my posts useful and it makes me feel I’m on the right way. Also, I try to make my posts scannable and I add a table of contents so people can easily skip what they don’t need and get to the most wanted parts of the writing. And thank you for reading!

Hi Shirley, Thanks for the information. By the way, I’ve noted that some plugins are still not compatible officially with the newest WP version. For example, W3 Total Cache. But they work 🙂 Anyway, I don’t see any issues raised in the Sucuri plugin support thread about incompatibility.

Hello Michael, Your article has become my reference. It is the most comprehensive available and is often referred to in the various FB groups. My only doubt is why you did not include AIOWP. This security plugin definitely belongs in the short list of big ones, although it is too little known. I would be very curious, and many with me, how they stack up against the others. Love all your research and honest opinions, Best regards, Frans

I also answer this question in this comment. The summary is that writing this article was a real challenge and it took much more time than I planned. Including more plugins in the list to review looked like a nightmare 🙂

Also, AIOWP is mentioned several times in other comments (Ctrl+F and search for “AIO” on the page).

After all, I have not looked very deeply into AIOWP, but it looks good. I’d say, very roughly, that AIOWP from an ordinary user’s perception is something in between iThemes, Wordfence and BPS. AIOWP’s strongest side is its combination of firewall options (not a very clear topic to most users) and other nice features (familiar to most users), plus a friendly user interface.

At the same time AIOWP looks more user-friendly (and sexier) than BPS and this is a big advantage in the eyes of most users.

However I favour BPS (especially BPS Pro) more since it’s a more professional tool with more advanced options. But if someone finds BPS too difficult to deal with, AIOWP looks like a good alternative to use.

Hello Michael, You’ve heard this over and over again but I will say this one more time: Your content is king! King in value, in relevance, in its super logical organization, and its efficiency. Keep it up! I found you on Quora while I was looking for answers about website security, and was immediately hooked on your content. And yes, I have also subscribed to your newsletter, Thanks! Here is my question, which I assume could also relate to many other users: I am looking to back up and secure my website with Sucuri and CodeGuard, but I have a problem connecting to CodeGuard: CodeGuard provides FTP or SFTP connections, while my host does not enable FTP (plain text) on their shared environment – they provide FTP over SSL/TLS (FTPS), which is not supported by CodeGuard. Now, I very much want to have CodeGuard’s “time machine.” What would you suggest? Is it worth perhaps moving my website to another hosting service, isn’t that too risky? (My WordPress-based website is connected to a database that is hosted on Amazon AWS). Could you please advise, and if possible, I would also appreciate it if you could suggest to me a good tech guy or company that could do this transfer, and maintain my website and add features to my web application. Thanks!

Hello Nissim, Thanks a lot for your kind words. As regards CodeGuard, have you contacted these guys? I guess they should support your hosting security configuration. Transferring a website to another hosting is usually free and is done by your new host. But switching hosts only because of backup system incompatibility is sad. Try to contact both CodeGuard and your current hosting so that the tech guys in both companies can resolve the issue if there is one.

Yes Michael, I have obviously tried both support teams, CodeGuard and my hosting and they have both said that these are their given limitations of their systems. My hosting suggested that I could transfer my account to their VPS package if I would want to use FTP, but that package is more expensive so I’d rather configure my site all over again with a host that provides SFTP. Do you think that this is my better option if I want the CodeGuard service, or else? Thanks, Nissim

Hi Nissim, Well, I see. Very sad that you can’t use CodeGuard with your current hosting plan. So, I don’t see much of a choice here apart from either a VPS with your current hosting or going with a new hosting. By the way, in addition to files backup, there can be an issue with your database backup as well (I don’t know if CodeGuard can handle the AWS database configuration with your current hosting). If backing up the database is also an issue, then switching hosts is the only choice to use CodeGuard fully. If you decide to switch your host, then I suggest contacting the new host and CodeGuard to make sure both files and database can be backed up by CodeGuard.

WordFence’s strong side is scanning (and the most resource-demanding by the way). Of course, you can leave it out.

As regards NinjaFirewall, I don’t think it’s a heavy plugin (especially compared to Wordfence). Although Ninja’s functionality overlaps with Bulletproof Security. I’d use either one or the other.

As regards brute force attack protection, Bulletproof does it for you. But remember that like any other plugin (including NinjaFirewall, Wordfence) its protection is located on your WordPress (server) level. True brute force protection can be done only with an external web application firewall (e.g. Sucuri WAF).
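As an added example (not code from the article or from any plugin it discusses), here is a minimal WordPress must-use plugin implementing the "login attempt limiting" measure recommended in the earlier reply about hiding wp-login.php and in the brute force discussion above; it runs inside WordPress, exactly the plugin-level layer these comments contrast with an external WAF. All function names, thresholds and transient keys are assumptions chosen for the illustration.

```php
<?php
/**
 * Added example, not from the article or any plugin it reviews: a minimal
 * mu-plugin (drop into wp-content/mu-plugins/) that limits failed login
 * attempts per client IP using WordPress transients. Thresholds and names
 * are assumptions for the illustration, not values from the article.
 */

// Assumed tuning values for the example.
const EX_LOGIN_MAX_FAILURES    = 5;    // failures allowed inside one window
const EX_LOGIN_WINDOW_SECONDS  = 900;  // 15-minute counting window
const EX_LOGIN_LOCKOUT_SECONDS = 1800; // lock the address for 30 minutes

/**
 * Client address used as the counting key. Only REMOTE_ADDR is trusted;
 * X-Forwarded-For is deliberately ignored because a client can forge it
 * unless a trusted reverse proxy rewrites it (an external WAF would).
 */
function ex_login_client_ip() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return filter_var( $ip, FILTER_VALIDATE_IP ) ? $ip : '0.0.0.0';
}

/** Transient names must stay short, so the IP is hashed into the key. */
function ex_login_key( $prefix, $ip ) {
    return $prefix . md5( $ip );
}

/** True while the address is locked out. */
function ex_login_is_locked( $ip ) {
    return (bool) get_transient( ex_login_key( 'ex_ll_', $ip ) );
}

/**
 * Count a failed attempt and lock the address once the limit is reached.
 * Hooked to wp_login_failed, which WordPress fires for wp-login.php and
 * XML-RPC logins alike.
 */
function ex_login_record_failure( $username ) {
    $ip = ex_login_client_ip();
    if ( ex_login_is_locked( $ip ) ) {
        return; // already locked; denials below also raise this action
    }
    $count_key = ex_login_key( 'ex_lf_', $ip );
    $count     = (int) get_transient( $count_key ) + 1;
    set_transient( $count_key, $count, EX_LOGIN_WINDOW_SECONDS );

    if ( $count >= EX_LOGIN_MAX_FAILURES ) {
        set_transient( ex_login_key( 'ex_ll_', $ip ), time(), EX_LOGIN_LOCKOUT_SECONDS );
        delete_transient( $count_key );
        // Leave a trail in the PHP error log so the event can be alerted on.
        error_log( sprintf( 'login lockout: ip=%s attempts=%d last_user=%s',
            $ip, $count, sanitize_user( $username ) ) );
    }
}
add_action( 'wp_login_failed', 'ex_login_record_failure' );

/** Reset the counter on a successful login so real users are not penalised. */
function ex_login_clear( $user_login ) {
    delete_transient( ex_login_key( 'ex_lf_', ex_login_client_ip() ) );
}
add_action( 'wp_login', 'ex_login_clear' );

/**
 * Refuse authentication while the address is locked. Priority 30 runs after
 * WordPress's own username/password check (priority 20), so a correct
 * password still cannot bypass the lock during the lockout window.
 */
function ex_login_block_locked( $user, $username, $password ) {
    if ( ex_login_is_locked( ex_login_client_ip() ) ) {
        return new WP_Error(
            'ex_locked_out',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'ex_login_block_locked', 30, 3 );
```

Because the counter is keyed per IP and evaluated on your own server, a distributed attack from many addresses still consumes PHP and database time for every attempt; that is the limitation the reply above points to when it says true brute force protection needs an external WAF.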

Came across this article recently. I am using Wordfence. It does the job pretty well but I have a feeling that it slows down my websites. After reading this, I am planning to switch to Sucuri. Thanks for this wonderful article

I recently started to deal with WP and of course one of the very first points must be security. Unfortunately I could not find your post immediately, but on the other hand it gave me the chance to at least get ready to understand your rather comprehensive analysis. Indeed I love the way you are approaching this topic.

On the other hand I do not fully understand your evaluation concerning its protection. Based on different articles I had the impression that Wordfence is stronger in protection. But of course it could also be the result of their good marketing. I also don’t fully understand why the evaluation is the same for the free and paid version concerning protection. My understanding is that the firewall definitions of the free version are behind the paid version by 30 days. That must make a difference. (30-day-old virus definitions on a PC would certainly fail any security audit.)

I fully agree with your statement that as a start the protection is the most important classifier. (It is better not to get into trouble than find out how to get out of it :)) So as a result of your analysis probably I will try out Bulletproof too.

In general, as regards the star rating, it’s a complex evaluation and can’t be taken as a linear approach. In other words, 3 stars for one product is not always equal to 3 stars for another product because of different approaches to the functionality.

However, I fully agree with you about the 30-day delay in applying firewall rules in the case of WordFence (I think this was added not long ago).

Hi, thank you for this awesome article. I found a number of solutions don’t cover these three simple but dangerous TO DO’s on WordPress https sites. I am using iThemes Security and Pro, and I see no resolution of that. Does Bulletproof help with that?

Hi Andy, Thanks for your interesting question. I guess a much better place where you can get a technically precise and detailed answer for your question is the BPS Pro forum. It’s free to register on the forum and post any requests. I’m sure you’ll get a reply that will fully satisfy you. Also, there’s a search form on the forum on the right hand side.

SG Site Scanner uses basically the same malware/blacklisting scanning functionality as the Sucuri plugin (actually its malware scanning option only). Core integrity is not checked by SiteGround (but it is checked by the plugin).

However, SiteGround offers automated malware/blacklisting scanning. Whereas the plugin does NOT do malware/blacklisting scanning in an automated mode – you need to run it manually each time in the plugin instead.

Also, SiteGround offers scheduled email reporting (scheduled and informing you in case of contamination). Whereas using the plugin you need to go to your WP dashboard to see how it all is going on and whether your site is safe and clean.

Besides, SiteGround offers even easier user interface/setup (can be a plus for newbies).

Thus, SiteGround has integrated and more convenient functionality for the end user for malware/blacklisting scanning. But the core malware/blacklisting scanning functionality is basically the same. And the plugin has an additional option – core file integrity checks.

After all, please note (just in case) that both tools (SG scanner and the plugin) offer remote malware scanning. For server-side scanning you may want to use Sucuri Antivirus product. Also, both options (SG Scanner and the plugin) do NOT do website security protection, only scanning/monitoring is offered. For the pro-active protection you need either Sucuri Firewall or Sucuri Antivirus.

Thank you for such a detailed reply. You explained it much better than Siteground.

Since I do want more pro-active protection, but cannot afford Sucuri’s Firewall or Antivirus (I have several websites that I need protected, which would be about $600 with Sucuri), do you think that BulletProof Security Pro (paid) would be a good option for a combination of protection and scanning?

Hi Jon, BulletProof Security Pro is good for protection (the most important part of website security). It’s very good as an htaccess-level firewall. But BPS Pro is not for scanning. As regards scanning, it’s a separate job and it’s most efficient on the server side (Sucuri Antivirus offers that). Plugins for scanning can also be used, but they are less efficient (and more demanding of your server resources). The WordFence or Sucuri free plugins can be used for scanning. By the way, using just BPS Pro as a protection layer plus some additional basic tricks and security hygiene that I describe here will actually make your website much more secure than most websites on the planet.

How I ended up here is because of Bluehost. I received an email last week that they had detected malware on one of my websites (they would not tell me which one – I had 9) and immediately deactivated my account and all of my websites. They routed me to Sitelock (a partner) and told me the only way to reactivate my account was to pay them $500. I think the whole thing is a scam, I did not pay them (paid an independent malware remover $260 which took 3 days) and have now migrated to Siteground.

So not wanting this to happen again (despite using all kinds of security precautions like the ones you mention on your “Protect Your Website from Hacking” article) – although again, I’m not 100% sure I even had any malware (I will never use an EIG hosting company ever again) I’m looking for a more proactive approach.

When I contacted Siteground they tell me this: “Even if malware manages to reach your sites through our 3-level security, we will notify you of it, provide you a list of the infected scans, and allow you 5-7 days to clean out the malware”

And then another review of Siteground says: “Siteground hosting starts with a powerful firewall that blocks access to your site and continues with close monitoring of any vulnerabilities that exist in WordPress files. That includes WordPress core files and popular plugins.

When the host discovers vulnerabilities, it implements server-level fixes to protect your site while the developers of the files in question work on updates.”

So now I’m thinking, with SiteGround’s 3 levels of security, a firewall that blocks access to my site with monitoring, why should I even need to install any other security plugins? Am I missing something?

As regards your question about why you should or should not protect your site even more than a particular level, the short answer is there’s no such thing as enough protection. Even the most protected servers like the Pentagon’s are hacked. The whole point is the balance between the risk of being hacked and the resources you invest to protect your site. By implementing more security layers you decrease the probability of getting hacked.

Here’s a simple example. Assume that a new vulnerability is found in a plugin that you use or in the WordPress core. How do the hosts and WP users get to know that there’s a vulnerability? The simplified answer is that a lot of sites start getting hacked and the number of very risky and untypical requests increases very sharply. Security systems (like Sucuri) detect such malicious activity in their network of monitored websites, and they issue a blocking firewall instruction (a patch). And then this patch is implemented by other firewalls in other companies (e.g. hosting) and software developers (e.g. plugin or WordPress core developers). This process takes some time and meanwhile a lot of sites are vulnerable.

Before a patch is implemented by all plugin developers, security plugin developers and hosts, your site remains vulnerable and can be hacked. Your web host can have a firewall but it still might let this new threat go through.

It’s a very simplified example, but it demonstrates that the more security layers protecting different parts of your website you have, the more secure your website is. But anyway you can’t be 100% secure. Security is a process; it’s an evolving game between hackers and security systems.

At the same time it is simply not practical to use as many security tools and options as possible because it’s an overkill (overlapping functionality, overloading your server, compatibility issues, too expensive etc).

As regards SiteGround, it has better security than most other shared hosts, but it does not guarantee that you are safe (read this). It’s too expensive for a shared hosting to implement very strong security.

If you don’t have the budget to use the best-in-field Sucuri products, then I’d recommend using at least an htaccess firewall and two-factor authentication. Even the free versions of the plugins which provide an htaccess firewall (e.g. All In One WP Security & Firewall or Bulletproof Security) will significantly reduce the risk of being hacked by the most widespread hacking methods. However, the plugins (as well as custom firewalls of hosts, including SiteGround’s firewall) are limited in their efficiency (no or limited pro-active protection). And they are not efficient against the newest threats that only the best firewall systems (e.g. Sucuri WAF) can handle. Only after some time can plugin and WP developers (as well as hosting firewall rules) catch up and add new firewall rules to protect you from these threats or update your software.

Also you can read here about a recent example of a WP vulnerability and estimate how much time passed between the moment malicious scripts and hackers started exploiting the breach and the moment the hosting and developer community became aware of the vulnerability, how much time WP developers needed to apply the patch, and how much time passed then for WP site owners to update their WP version. And you will see that website protection is a game with risks. Using a hosting with some security layers is good, but still quite risky.

I would not feel secure relying only on hosting security, unless it’s a fully managed hosting (a much more expensive host) that explicitly guarantees, with realistic proof, to take care of your website security.

Thanks for that explanation. Now I better understand why and what’s needed for security. I think I will try BPS Pro and implement everything you mention in your “protect your website from hacking” article. I will also read your article on using UpdraftPlus backup and restore with Google Drive too. Thanks again for your explanations and your website – I’ve bookmarked it for future reference.

Excellent round-up of security plugins that can strengthen our WordPress websites. I use both iThemes Security and Wordfence in securing almost all my websites and I can tell they are really efficient.

I have also used Sucuri for scanning and uncovering security issues in some client websites that were hacked. It is also a good plugin.

Hi Michael, thank you very much for this wonderful, detailed article that really helped me a lot. Even the “protect your website” article, I implemented most of it on my WP, and even the comments, I read them all (yeah, I spent that much time on your articles ;P). I just have to ask you: I’m new to WP but I believe that I’m a fast learner in that field. I’m on a budget right now, so I bought the main necessary plugins that would save me some. I’ve bought WP-Rocket for caching and it’s really making a difference in my WP load time; Bulletproof Security Pro, which I configured well and which is really a very good plugin (I disabled the JTC anti-spam part and installed the free new Invisible reCaptcha by Google); I also used 2FA with miniOrange 2 Factor Authentication, which is really good for app-generated TOTP codes; and I also used UpdraftPlus – Backup/Restore (I might consider CodeGuard in the future), plus spam protection by Akismet Anti-Spam.

So my question is: which free security plugin for scanning should I use, or do you recommend something else, as I can’t afford Sucuri Antivirus to complete my Bulletproof Security Pro setup?

Thanks a lot for your kind feedback and being an advanced reader of my articles!

As regards a free option for scanning, I favor free Sucuri Scanner plugin (I describe it in this section). It’s light-weight compared to WordFence. However, if you want the most powerful scanning option for free then you may want to choose WordFence. Also, see some possible compatibility issues here.

Hi Jose, thanks for your comment. There’s a compatibility issue between BPS and Sucuri, and between Sucuri and WordFence. They can be resolved. Look at this section above for the appropriate links. As regards compatibility regarding the htaccess file, there are no issues. So, you can use W3TC and BPS (Pro) without issues (I use the same configuration).

Wow, this is a very complete review. I came from Google to find information about BPS premium because, no offence, their site is confusing. So thanks for creating a simple review of each product.

I'm a graphic designer and a complete beginner in the website and hosting area. When I first created a WordPress site it was hacked many times, the server collapsed because of DDoS, it got brute force attacks, etc.

Then I started using BPS free combined with Loginizer paid, and wow, I never deal with hackers anymore. I tried Wordfence but I think it's heavy when I check the server resources it uses.

And I checked at Sucuri; Sucuri detects that my site has a firewall. I'm not sure where the firewall came from. Do you think it's from BPS? And when I asked a cyber security guy to check and test-hack my site, he told me that my site is super secure from beginner and intermediate hackers; the one who can hack it must be an "another level" hacker, and it's impossible they would want to hack my site because my site is just a small site, not e-commerce.

Btw, even though my site is secure I'm paranoid. Do you think I should upgrade BPS to the paid version?

Thanks Michael, I believe you spent many hours creating this detailed article 🙂

As regards detecting a firewall, I'm not sure where it came from. BPS is considered to be a firewall on the .htaccess level. But BPS is not a true web application firewall like Sucuri WAF, which is located outside of your installation.

By the way, how did you find out that your website is under firewall? You mentioned you used Sucuri. If you mean https://sitecheck.sucuri.net/ then it does not detect BPS as a firewall.

As regards upgrading to BPS Pro, I'd not say this is a must. Getting BPS Pro adds advanced tools and protection against more sophisticated hacking methods and malicious traffic. For beginner websites it's more important to maintain clean hygiene, such as using plugins from trusted developers, keeping your plugins and WP version updated, using strong passwords etc., that I describe in this article 🙂

However, if you feel or notice that there's suspicious or malicious traffic to your website, then it makes sense to pay attention to additional security measures.

At the same time, for peace of mind it's justified to get a pro version, especially considering it's just a one-time, fairly small payment. But generally, even a free BPS version in addition to other free preventive measures should be enough for a small site to make it more secure than most other websites in the world.

By the way, most websites are hacked not by human hackers, but by bots which exploit vulnerabilities. In this respect BPS Pro is a more advanced tool.

I am searching for WP security plugins to enhance my shared host's security, so I'm glad I've found your unbelievably informative articles here! I just finished reading the entire article as well as the comments; however, I'm still on the fence about which plugins to install.

I'm a complete beginner to WP administration and am working on a project with a limited budget, so I'm interested in a comprehensive free solution that is user-friendly to a beginner.

I've seen your recommendation for combining BPS free, Sucuri free, and Wordfence free in section 10.2; however, your description of BPS makes me concerned about whether I'll actually be able to configure it correctly, as well as resolve any compatibility issues, without breaking my site. In addition, it sounds like I would like to avoid Wordfence due to its resource-heavy scanning.

Would you still recommend BPS free + Sucuri free + WF free for a complete beginner looking for a free comprehensive security strategy, or would something like All In One WordPress Security and Firewall be a better solution for someone like me who is just starting out learning and on a bootstrap budget?

Sometimes a lot of information does not make things more clear. I understand it and I feel your uncertainty.

Answering your question, BPS free + Sucuri free + WF free is still fine for a complete beginner. You just may try it yourself and see if it’s overwhelming for you or not.

By the way, BPS has one button setup, so you just install it, press the setup wizard button and you are done. Its beginner-user complexity lies mostly in its user interface if you want to apply extra protection or understand it inside out.

You also don't need to worry much about WordFence if you have a small website. If you have a big website, then its effect on performance may be an issue. Also, to avoid possible performance issues make sure you disable live traffic view (in case you don't really need it).

As regards ‘All In One WordPress Security and Firewall’, it does not fully replace the above combination of plugins. But if you want a lighter solution, you can give it a go.

And of course don’t forget about security hygiene such as password strength, updating software etc that I describe in my other article about basic website security.

Hi Yard, Thanks for your feedback. As regards All In One WP Security & Firewall plugin, it’s discussed quite a bit in the comments. Please search for “AIO” and “WP Security & Firewall” on the page (Ctrl+F if you are on PC).

Awesome article, I was looking for a comparison article that was 'real' (and wasn't written by one of the company's SEO guys ;)

I was considering BPS and wanted to get the low-down just to make sure the features I was reading about stack up in the real world, and against the competitors. I like the suggestion of using it with a WAF, something I'm looking into now ;)

Your article has given me the confidence that BPS is going to be spot on, and offer a very good level of security, and it easily fits the real-world budget... in fact it's an absolute steal at the price, to be fair :)

Again many thanks, what you do takes a lot of time and expertise and it's greatly appreciated, keep up the great work... just gonna make another coffee and check out some more articles :)

Hi Steve, thanks a lot for your feedback. Indeed, BPS is a bargain. The guys behind it are developers in their bones and fans of security things. But they don't (or, better to say, can't) pay much attention to marketing and the visual attractiveness of both their plugin and website. That's why they are the choice of more techy clients.

Hey, thanks for sharing such a huge blog of "Best WordPress Security Plugins". I will surely use one of them and give more security to my website. Thank you!! http://wpall.club/author/editorteam/

Hi Michael, this is really a great article, and I found some answers to some of my security questions. However, I couldn't find a solution for the worst problem I have now in my blog: affiliate link fake clicks. Somehow, whenever I write a new article I find hundreds of fake clicks on any affiliate link mentioned in the article. Till now I couldn't find any solution for this problem anywhere! Do you have any idea about one? Anyway, thanks for this great article, it helped me a lot with other problems 🙂

As regards fake clicks, I just can think of automated bot crawling events which are counted as clicks. I suggest analyzing your analytics data (and logs if you can) to find out from what web agents or referrers this fake traffic comes. Look at this article at Moz. It also has some links at the end of the article for more information.

Also, you can read my short article to see an example how I used to protect my website against some fake traffic.

By the way, after I started using Sucuri Website Firewall (I review it above) I stopped seeing any traffic from suspicious referrers in my Google Analytics, and all my affiliate click statistics in all the affiliate programs I participate in are realistic.

Have you tried to create another user name with Administrator role and log in using that new name (as suggested in the support thread I’ve mentioned)?

Also, perhaps your current user name is already locked in the plugin. You need to unlock it. (By the way, no need to delete the plugin if you are locked out. Do this instead: use FTP or your web host control panel file manager and rename the /bulletproof-security/ plugin folder to /_bulletproof-security/ and log in to your website. After logging into your website, rename the /_bulletproof-security/ plugin folder back to /bulletproof-security/. Then unlock your user account on the BPS Login Security and Monitoring page.)

If the above two solutions don't help, I suggest posting your issue in the plugin support forum. You should get better help there and you'll resolve your issue.
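The folder-rename lockout recovery described in the reply above, as an added example that is not from the original post or the BPS project: two small shell functions that rename the plugin folder out of and back into WordPress's plugin path, refusing to run when the folder is missing or a renamed copy already exists (so a half-done recovery is not silently overwritten). It assumes shell access to the web root and a plugin directory path set in PLUGIN_DIR (the comment above does the same step over FTP or a file manager).

```shell
#!/bin/sh
# Temporarily disable a WordPress plugin by renaming its folder, then re-enable it.
# WordPress treats a plugin whose folder is gone as deactivated, so renaming
# wp-content/plugins/<name>/ to wp-content/plugins/_<name>/ removes it from the
# load path without deleting anything.  PLUGIN_DIR is an assumed path: override
# it with the real one for your install.
PLUGIN_DIR="${PLUGIN_DIR:-/var/www/html/wp-content/plugins}"

# disable_plugin NAME: rename NAME/ to _NAME/ inside $PLUGIN_DIR.
# Returns 0 on success, 1 if the folder is missing or a disabled copy already exists.
disable_plugin() {
    name="$1"
    src="$PLUGIN_DIR/$name"
    dst="$PLUGIN_DIR/_$name"
    [ -d "$src" ] || { echo "no such plugin folder: $src" >&2; return 1; }
    [ ! -e "$dst" ] || { echo "already disabled: $dst exists" >&2; return 1; }
    mv "$src" "$dst"
}

# enable_plugin NAME: rename _NAME/ back to NAME/ once you are logged in again.
# Returns 1 if there is no disabled copy or an active folder already exists.
enable_plugin() {
    name="$1"
    src="$PLUGIN_DIR/_$name"
    dst="$PLUGIN_DIR/$name"
    [ -d "$src" ] || { echo "no disabled copy: $src" >&2; return 1; }
    [ ! -e "$dst" ] || { echo "plugin already active: $dst exists" >&2; return 1; }
    mv "$src" "$dst"
}

# plugin_state NAME: print "active", "disabled" or "absent" so you can confirm
# which state the folder is in before and after each step.
plugin_state() {
    if [ -d "$PLUGIN_DIR/$1" ]; then echo active
    elif [ -d "$PLUGIN_DIR/_$1" ]; then echo disabled
    else echo absent
    fi
}

# Command-line use: plugin-toggle.sh disable|enable|state NAME
case "${1:-}" in
    disable) disable_plugin "$2" ;;
    enable)  enable_plugin "$2" ;;
    state)   plugin_state "$2" ;;
esac
```

Typical sequence: `disable_plugin bulletproof-security`, log in to wp-admin, `enable_plugin bulletproof-security`, then unlock the account on the BPS Login Security and Monitoring page as the reply says. While the folder is renamed the plugin's protections are off, so keep that window short.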

Hi Michael, great post, it convinced me to go with the Sucuri AV solution. My site runs on a cloud VPS and I am currently using the Wordfence plugin (free) in addition to a "typical" Apache security suite (i.e. ModSecurity, iptables firewall, fail2ban jails). After switching to Sucuri AV, I am planning to get rid of Wordfence (seems to be redundant with Sucuri WAF), but plan to keep the Apache stuff... do you think it's a good idea? Also, you are recommending CodeGuard for backup... I don't really think I need it as I run scheduled full backups on my VPS and FTP them to my local machine on schedule. This way I can restore the entire VPS, if needed. With this setup, will CodeGuard give me any benefits? Thanks for your time reading and answering this!

As regards using CodeGuard, it depends. But I think that in your case it may not be justified if you already have a backup solution that works well for you.

There are a couple of advantages, though, that you may get from using CodeGuard in your case.

1. CodeGuard’s backups are incremental. So, if you have a big website and making a backup takes a lot of server resources, then it may make sense to use CodeGuard.

2. CodeGuard sends daily reports by email informing you what has changed on your website. It's a sort of additional layer of website security that I find pretty convenient from a user point of view. I get notified each day that my backups are generated fine and I see whether there are any unauthorized changes on my server. Not sure if these arguments matter much in your case.

3. CodeGuard sends alert notifications by email from CodeGuard's server if creating a backup failed (e.g. your website was down). Most other backup solutions rely on a PHP function to send emails, which may fail as well if there are issues on your website's server. And you may stay unaware that there are any problems. Using CodeGuard adds a bit more peace of mind this way. Not a deal breaker in many ways, but still it's a nice addition.

So, whether or not you may want to use CodeGuard depends on how comfortable and efficient your current backup solution is. My general recommendation to use CodeGuard is based mostly on the idea that CodeGuard is more reliable, efficient and comprehensive (and sometimes even cheaper) than WordPress backup plugins or other cloud-based backup services. So, in your particular case your priorities may be different.

Getting rid of WordFence if you use Sucuri AV sounds like a good idea. WordFence's strong side is its scanning functionality. But if you use Sucuri AV, it already includes stronger and more efficient server-side (as well as remote) scanning and monitoring. (By the way, there's an article on Sucuri's site about it.) Moreover, Sucuri does its job much more gently than WordFence (WordFence is known to load a server heavily in some cases).

As regards Sucuri WAF and a "typical" Apache security suite, I think it's a good idea to contact Sucuri's tech support and ask them whether you need to configure your server security specifically. I've heard there can be conflicts, e.g. ModSecurity blocked all traffic from Sucuri WAF.

Thank you for breaking down and clarifying such an important topic! I feel much more informed after reading several posts on your site. What I am still unclear about is the SSL certificate. From what I understand, I can get it separately, although reputable hosts usually provide it (too late for me, but I will switch to a good one upon renewal). How important is an SSL certificate? I don't think Bulletproof Security and Sucuri Security (the free versions) offer that, correct? I also read that an SSL certificate affects Google rankings – is that legit or just hype, do you know?

Although Google announced that they give some preference to https websites (1% of websites may be affected), in my opinion and considerations, the ranking effect is more a hype or a bait than something real. I can’t say for sure, but I would assume that the one percent of the affected search queries that Google talks about might be connected with e-commerce sites which didn’t use https or something like that.

After all, I believe the phrase 'Google gives a ranking boost to https sites' is hype based on a Google strategy of a different kind.

If your website is not connected with e-commerce or getting your visitors' sensitive information, SSL did not (and still mostly does not) really make sense.

So, for ordinary websites or blogs which do not gather users' sensitive information, SSL is more of a reputation thing than anything else. I still don't really see enough practical reasons to use it (and I don't use it, as you can see on this blog).

However, Google is more and more encouraging people to use https even if you have just a simple blog. For example, Google Chrome web browser may display ‘not secure’ icon in the URL field.

And if Google goes further in its intention to turn the Internet into an https-Internet by adding dreadful warning signs on non-https sites, or if Google announces more arguments, or if my visitors start telling me that they feel more comfortable seeing my site with https, then I'll consider moving to https. But, for now, I'm too lazy to switch to https 🙂 But sooner or later I'll have to switch to https, I think.

Since I know you use Thrive Leads, I thought you might like to know that the team at Thrive Themes just told me Sucuri has problems interacting with Thrive Themes. They recommend WordFence Security if you are on Thrive Themes. (I tried using Sucuri and it caused me to be locked out of logging into WordPress.) Thought I’d mention this in case any of your readers encounter this.

I use both Sucuri and Thrive Leads and have no issues. Recommending WordFence instead of Sucuri sounds unclear to me, to put it mildly. Also, I don't understand how exactly Sucuri may conflict with ThriveThemes and why it could not be resolved easily. I'll contact the Thrive Themes guys for details.

Also, I've never had any issues with Sucuri of being locked out. Only when my IP changed, but that's normal. And I just needed to whitelist my new IP in Sucuri's dashboard. Your locking-out case must have been something pretty specific. What did Sucuri support tell you regarding it?

Update: I've contacted both ThriveLeads and Sucuri. Here's the information for all interested: nothing is wrong with using both products. If you encounter a problem, this would be an isolated issue that should be handled specifically. If this happens, feel free to contact Sucuri support and the guys will help you resolve your issue.

Endpoint security (WP security plugins such as WordFence) is a part of website security. But endpoint security cannot handle widespread DDoS attacks from distributed IPs (whereas cloud WAFs can). Deeper-level DDoS protection can't be handled at all, and/or the costs of it would be too much to be discussed here (among non-profit bloggers or small and mid-size businesses).

So, Cloud WAFs are great and do their part of work great. At the same time cloud WAFs are also only a part of website security. There are several layers of your website security:

As regards Sucuri Cloud WAF in particular, it lets you add some simple lines of .htaccess code to protect you even if a hacker (malicious bot) knows your server's original IP. Although it can't protect you from the load that is caused by DDoS attacks on your original IP. And of course, WordFence can't do that, all the more so. This is what your hosting should do. But this level of security is so deep that most hosts (not only shared hosting providers) don't offer it. This is something that can be handled for a much higher price tag. And most website owners cannot cope with such costs (or even anything close to such prices).

Besides, as regards DDoS attacks, cloud WAFs including Sucuri can protect you from most attacks, whereas Wordfence (and other endpoint solutions, i.e. WP plugins) cannot.

Anyway, such threats, when deep-level DDoS attacks happen, are not common. And if they occur, this is rather a specific attack which is sort of ordered by your competitor if you have a very serious business. It's very unlikely to happen with a typical website.

Also, cloud WAFs filter most malicious traffic. This is the most common problem that cloud WAFs solve (and WP plugins cannot solve).

By the way, however strong your website security is, it's possible to hack your website. The question is only how expensive it is for the hacker. Both cloud WAFs and WP security plugins do their parts of the work. And my opinion on the strategies for how to protect a website is presented in this article.

In summary, the questions raised in the article you linked to are rather marketing wars between website security companies than anything else 🙂 But it's useful for educational purposes, though.
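The origin-locking idea in the reply above (a few .htaccess lines so that requests which skip the cloud WAF and hit the server's real IP are refused), as an added example that is neither the original post's nor Sucuri's own code. It assumes Apache 2.4 with mod_authz_core, and the CIDR ranges used are TEST-NET placeholders, not any WAF vendor's real ranges; take the real allow-list from your WAF provider's documentation. The shell functions back up the current .htaccess, prepend the stanza, and give you a rollback for the case where a wrong range starts returning 403 to everyone.

```shell
#!/bin/sh
# Lock the origin server down to the cloud WAF's address ranges so that a
# request which bypasses the WAF (someone who knows the origin IP) gets a 403.
# Added example; 192.0.2.0/24 and friends are placeholder networks.

# origin_lock_stanza CIDR...: print an Apache 2.4 stanza that only lets the
# listed networks through.  A single "Require ip" line means every client
# outside those ranges fails authorization and is refused.
origin_lock_stanza() {
    echo "# BEGIN origin-lock"
    echo "<IfModule mod_authz_core.c>"
    echo "    Require ip $*"
    echo "</IfModule>"
    echo "# END origin-lock"
}

# install_origin_lock HTACCESS CIDR...: back up HTACCESS (if present) to
# HTACCESS.bak-origin-lock, then prepend the stanza so it stays separate from
# WordPress's own "# BEGIN WordPress" block.  Returns 1 if a lock is already
# installed, so running it twice cannot stack two stanzas.
install_origin_lock() {
    file="$1"; shift
    if [ -f "$file" ] && grep -q '^# BEGIN origin-lock' "$file"; then
        echo "origin-lock already present in $file" >&2
        return 1
    fi
    if [ -f "$file" ]; then
        cp "$file" "$file.bak-origin-lock"
    fi
    tmp="$file.tmp.$$"
    {
        origin_lock_stanza "$@"
        if [ -f "$file" ]; then cat "$file"; fi
    } > "$tmp"
    mv "$tmp" "$file"
}

# remove_origin_lock HTACCESS: strip the stanza again, leaving the rest of the
# file untouched.  This is the rollback if the site starts answering 403 to
# legitimate traffic because the ranges were wrong.
remove_origin_lock() {
    file="$1"
    tmp="$file.tmp.$$"
    sed '/^# BEGIN origin-lock$/,/^# END origin-lock$/d' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Command-line use: origin-lock.sh install|remove /path/to/.htaccess [CIDR...]
case "${1:-}" in
    install) shift; install_origin_lock "$@" ;;
    remove)  remove_origin_lock "$2" ;;
esac
```

Two checks worth doing after installing it: fetch the site through the WAF hostname (should work) and directly against the origin IP (should now be 403), and confirm whether mod_remoteip is configured to trust the WAF's forwarded-address header, because in that case Require ip sees the rewritten visitor address rather than the WAF's, and the allow-list has to be expressed differently.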

Hi Thomas, Thanks for your comment. The purpose of this article was not to review all the security plugins. Anyway, you can find a lot of information on AIOWP plugin in the comments. You can search for “AIO” and “WP Security & Firewall” on the page (Ctrl+F if you are on PC).

Tracey, thanks for your comment. Yes, there are different security plugins which are pretty successful in their niches. I’ve reviewed some of the most popular and well-acknowledged plugins/website security solutions.

One of my clients is running both Sucuri and WordFence in unison, so occasionally they'll receive a false positive notification and then ask me if it's OK. I've created this image to be sent in every future email that matches the proper context: